Showing posts with label U.S. Treasury Department. Show all posts

Wednesday, 15 April 2026

U.S. Treasury Department Active in Addressing Cybersecurity Issues

The U.S. Treasury Department recently issued two press releases concerning cybersecurity.  First, the Treasury Department created a cybersecurity information sharing initiative for U.S. digital asset companies.  Second, the Treasury Department sanctioned actors who stole trade secrets involving cybersecurity tools from a U.S. company.  The press releases are below.

Treasury Launches Cybersecurity Information Sharing Initiative for the Digital Asset Industry

WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) announced a new initiative to strengthen cybersecurity across the digital asset industry. The initiative will provide timely, actionable cybersecurity information to eligible U.S. digital asset firms and industry organizations, helping them better identify, prevent, and respond to cyber threats targeting their customers and networks. The effort advances a key recommendation from the President’s Working Group on Digital Asset Markets report, Strengthening American Leadership in Digital Financial Technology.

Treasury leadership highlights the growing importance of digital asset firms to the broader financial system.

“Digital asset firms are an increasingly important part of the U.S. financial sector, and their resilience is critical to the health of the broader system,” said Luke Pettit, Assistant Secretary for Financial Institutions. “By extending access to the same high-quality cybersecurity information used by traditional financial institutions, Treasury is helping promote a more secure and responsible digital asset ecosystem.”

Treasury also emphasized that cybersecurity is foundational to the future of digital finance and essential to responsible innovation.

“This initiative reflects the principles of the GENIUS Act by promoting responsible innovation grounded in strong cybersecurity and operational resilience,” said Tyler Williams, Counselor to the Secretary for Digital Assets. “As digital assets become more integrated into the financial system, access to timely and actionable cyber threat information is essential to protecting consumers and safeguarding the stability of U.S. financial markets.”

Treasury cybersecurity officials noted that the initiative responds directly to a rapidly evolving threat environment.

“Cyber threats targeting digital asset platforms are growing in frequency and sophistication,” said Cory Wilson, Deputy Assistant Secretary for Cybersecurity. “This initiative expands access to actionable threat information that helps firms strengthen defenses, reduce risk, and respond more effectively to incidents.”

Eligible U.S. digital asset firms and industry organizations that meet Treasury’s criteria will be able to receive, at no cost, the same actionable cybersecurity information Treasury regularly shares with traditional U.S. financial institutions. Interested firms are encouraged to contact OCCIP at OCCIP-Coord@treasury.gov for more information.

 

Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools

February 24, 2026

First-Ever Action Under the Protecting American Intellectual Property Act

WASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Sergey Sergeyevich Zelenyuk (Zelenyuk) and his company, Matrix LLC (doing business as Operation Zero), as well as five associated individuals and entities, for their acquisition and distribution of cyber tools harmful to U.S. national security.  Zelenyuk and Operation Zero trade in “exploits”—pieces of code or techniques that take advantage of vulnerabilities in a computer program to allow users to gain unauthorized access, steal information, or take control of an electronic device—and have offered rewards to anyone who will provide them with exploits for U.S.-built software.  Among the exploits that Operation Zero acquired were at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company.  Operation Zero then sold those stolen tools to at least one unauthorized user.

“If you steal U.S. trade secrets, we will hold you accountable,” said Secretary of the Treasury Scott Bessent.  “Treasury will continue to work alongside the rest of the Trump Administration to protect sensitive American intellectual property and safeguard our national security.”

This action coincides with an investigation by the Department of Justice and the Federal Bureau of Investigation of Peter Williams, an Australian national and a former employee of the aforementioned U.S. company who pleaded guilty on October 29, 2025, to two counts of theft of trade secrets. 

Williams stole several proprietary cyber tools from the company between 2022 and 2025 and sold them to Operation Zero in exchange for millions of dollars paid in cryptocurrencies.

OFAC is designating Zelenyuk, Operation Zero, and the five associated individuals and entities pursuant to Executive Order (E.O.) 13694, as further amended by E.O. 14306 (“E.O. 13694, as further amended”).  In parallel with this action, the Department of State is sanctioning Zelenyuk, Operation Zero, and an affiliated UAE company, Special Technology Services LLC FZ (STS) pursuant to the Protecting American Intellectual Property Act (PAIPA).  These are the first persons sanctioned under this law, which provides for sanctions against persons who have knowingly engaged in, or benefitted from, significant theft of trade secrets of United States persons, if the theft of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.  Please refer to the Department of State’s press release for more information about this action under PAIPA. 

ZELENYUK’S ACQUISITION AND SALE OF CYBER TOOLS

Russian national Zelenyuk, through his St. Petersburg, Russia-headquartered company Operation Zero, has been active as an exploit broker since 2021.  Operation Zero has offered millions of dollars in bounties to cybersecurity researchers and others for the development or acquisition of exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications.  Operation Zero does not disclose the discovered exploits to the companies developing the affected software, and Operation Zero customers could use the tools to launch ransomware attacks or engage in other malign activities.  In advertisements and other public-facing materials, Zelenyuk and Operation Zero have stated that they will only sell the exploits they acquire to customers from non-NATO countries.  Zelenyuk, through Operation Zero, has sought to sell exploits to foreign intelligence agencies.  Zelenyuk and Operation Zero have also sought to develop other cyber intelligence systems, including spyware and methods to extract personal identifying information and other sensitive data uploaded by users of artificial intelligence applications like large language models.  Operation Zero has sought to recruit hackers to support its activities and develop business relationships with foreign intelligence agencies through use of social media.

OFAC is designating Zelenyuk and Operation Zero pursuant to E.O. 13694, as further amended, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

. . .

Saturday, 28 September 2019

US Treasury Department CFIUS Proposed Regulations Released


The U.S. Treasury Department has recently issued new regulations for review concerning the Committee on Foreign Investment in the United States (CFIUS).  CFIUS reviews transactions implicating national security concerns.  The Fact Sheet concerning the new proposed regulations from the U.S. Treasury Department states: 


FIRRMA Provisions on Non-Controlling Investments

FIRRMA expands CFIUS’s jurisdiction beyond transactions that could result in foreign control of a U.S. business to also include a non-controlling investment, direct or indirect, by a foreign person that affords the foreign person: 

access to any material nonpublic technical information in the possession of the U.S. business;

membership or observer rights on the board of directors or equivalent governing body of the U.S. business or the right to nominate an individual to a position on the board of directors or equivalent governing body; or

any involvement, other than through voting of shares, in substantive decisionmaking of the U.S. business regarding—

 the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the U.S. business;

 the use, development, acquisition, or release of critical technologies; or

 the management, operation, manufacture, or supply of critical infrastructure.

This new authority only applies to a non-controlling investment in a U.S. business that:

produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;

owns, operates, manufactures, supplies, or services critical infrastructure; or

maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.

FIRRMA also requires that CFIUS prescribe regulations that further define the term “foreign person” in the context of non-controlling investments by specifying criteria to limit its applicability over certain categories of foreign persons.

Key Aspects of the Proposed Regulations Regarding “Covered Investments”

Types of investments covered:  Non-controlling investments that afford a foreign person certain access, rights, or involvement in certain U.S. businesses (referred to as “covered investments”).

Largely a voluntary process:  Process remains largely voluntary, where parties may file a notice or submit a short-form declaration notifying CFIUS of a covered investment in order to receive a potential “safe harbor” letter (after which CFIUS does not initiate a review of a transaction except in certain limited circumstances).  In some circumstances, filing a declaration for a transaction is mandatory.  In particular, FIRRMA creates a mandatory declaration requirement for specified covered transactions where a foreign government has a “substantial interest”.  Additionally, FIRRMA authorizes CFIUS to mandate declarations for covered transactions involving certain U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies.  



U.S. businesses covered:  The new provisions on covered investments only apply to investments in U.S. businesses involved in specified ways with critical technologies, critical infrastructure, or sensitive personal data—referred to as “TID U.S. businesses” for technology, infrastructure, and data.  

 Critical technologies:  CFIUS may review transactions related to U.S. businesses that design, test, manufacture, fabricate, or develop one or more critical technologies.  “Critical technologies” is defined to include certain items subject to export controls and other existing regulatory schemes, as well as emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018.  

 Critical infrastructure:  CFIUS may review transactions related to U.S. businesses that perform specified functions—owning, operating, manufacturing, supplying, or servicing—with respect to critical infrastructure across subsectors such as telecommunications, utilities, energy, and transportation, each as identified in an appendix to the proposed regulations.  

 Sensitive personal data:  CFIUS may review transactions related to U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to sensitive populations, including U.S. military members and employees of federal agencies involved in national security, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.  The categories of data include types of financial, geolocation, and health data, among others.  Genetic information is also included in the definition regardless of whether it meets (i), (ii), or (iii).  

 Foreign person and excepted investor:  The regulations create an exception from “covered investments” for certain foreign persons defined as “excepted investors” based on their ties to certain countries identified as “excepted foreign states,” and their compliance with certain laws, orders, and regulations.  The regulations do not except these persons from control transactions previously subject to CFIUS jurisdiction; investments from all foreign persons remain subject to CFIUS’s jurisdiction over transactions that could result in foreign control of a U.S. business.

FIRRMA Provisions on Real Estate Transactions

In FIRRMA, Congress authorized CFIUS to review “the purchase or lease by, or a concession to, a foreign person of private or public real estate that”

“is, is located within, or will function as part of, an air or maritime port…” 

“is in close proximity to a United States military installation or another facility or property of the United States Government that is sensitive for reasons relating to national security;”

 “could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility, or property; or”

 “could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance.”

 Pursuant to FIRRMA, this authority does not extend to “a single ‘housing unit.’”  This authority also does not apply to “real estate in ‘urbanized areas’ . . . except as otherwise prescribed by [CFIUS] in regulations in consultation with the Secretary of Defense.” (emphasis added)

 FIRRMA directs CFIUS to “prescribe regulations to ensure that the term “close proximity” refers only to a distance or distances within which the purchase, lease, or concession of real estate could pose a national security risk.”

 FIRRMA also requires that CFIUS prescribe regulations that further define the term “foreign person” for real estate transactions by specifying criteria to limit its applicability over certain categories of foreign persons.

The full text of the regulations is available here.